Facebook has fixed a critical flaw in the Facebook Messenger for Android messaging app. Natalie Silvanovich of Google’s Project Zero reported the bug to the Facebook bug bounty program. The bug could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. web browser).
It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out. To exploit this issue, an attacker would have to already have the permissions to call this particular person by passing certain eligibility checks (e.g. being friends on Facebook). They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message.